1
2
Architecture and Application of Microsoft .NET Framework 3.5 Cryptography for Data Protection
Rafal Lukawiecki
Strategic Consultant
Project Botticelli Ltd
Session Code: ARC303
3
Objectives And Agenda
Outline data protection requirements
Explain the status of today’s cryptography
Introduce the cryptography APIs for Windows 7 and Windows Server 2008 R2
The information herein is for informational purposes only and represents the opinions and views of Project Botticelli and/or Rafal Lukawiecki. The material presented is not certain and may vary based on several factors. Microsoft makes no warranties, express, implied or statutory, as to the information in this presentation.
© 2009 Project Botticelli Ltd & Microsoft Corp. Some slides contain quotations from copyrighted materials by other authors, as individually attributed. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Project Botticelli Ltd as of the date of this presentation. Because Project Botticelli & Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft and Project Botticelli cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT AND/OR PROJECT BOTTICELLI MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. E&OE.
4
Agenda
Data Protection Goals
State of Today’s Cryptography
Cryptography in Windows 7, Vista, and Windows Server 2008 and R2
Demo: simple but fully working CNG code using .NET Framework 3.5
Hidden Section {Crypto Primer}
5
Why Do We Need This Session?
Crypto is still cryptic, with lots of new stuff
You need Data Protection badly
For every good crypto choice, apps make several bad ones
Good crypto starts in the architecture
6
Data Protection Goals
7
Defense in Depth
Layer: protective measures (outermost layer first)
Policies, Procedures, & Awareness: User education against social engineering
Physical Security: Guards, locks, tracking devices, HSM, TPM
Perimeter: Firewalls, VPN quarantine
Internal Network: Compartments, IPSec, IDS
Host: OS hardening, updates, BitLocker, strong authentication, secure startup
Application: Application hardening
Data: Cryptography
8
Data Protection is Important
DP is at the heart of all defence
It has to work when everything else has failed
DP is typically the only defence left when physical security has been broken
You need Data Protection in your application’s architecture!
9
Essence of Data Protection
Protect secrets, customer data, private information...
...by encrypting it with keys (EASY)
Then, protect the keys (REALLY VERY HARD):
Human memory (passwords + DPAPI)
Devices (smartcards, TPMs)
Paper (and a good safe)
Obfuscation (temporary protection)
10
Easiest Crypto, Please?
Just use DPAPI
System.Security.Cryptography
ProtectedData.Protect
ProtectedMemory.Protect
Takes care of looking after keys
Or, if you are brave enough – stay with us!
11
Advanced DP in .NET Frameworks
System.Security.Cryptography:
Rijndael, RSA, and DSA Managed providers and CryptoStream
Full crypto, not FIPS-certified: .NET Fx 2.0, 3.0, 3.5
CNG wrappers for full, FIPS-certified cryptography: .NET Fx 3.5, and the same in 4.0
System.Security.Cryptography.Xml
W3C XML Encryption and XML Signature standards
System.Security.Cryptography.Pkcs
PKCS#7 and Cryptographic Message Syntax (CMS) standards
12
Cryptography of Past, Present and its Problems
13
XP Recommendation
If you cannot use Windows 7, Windows Server 2008, R2, or even Vista…
At present (Nov 2009), consider:
Rijndael or AES-128 (or AES-192, or AES-256)
RSA 4096 (arguably 3072 or longer)
“SHA-2” (i.e. SHA-256, or SHA-512)
DSA (or SHA-2/RSA signatures)
14
DES, IDEA, RC2, RC5, Twofish: Not Recommended
These are all symmetric non-recommendations
DES (Data Encryption Standard)
DO NOT USE DES!
Triple DES (3DES) is more secure, but better options exist
IDEA (International Data Encryption Algorithm)
128 bit keys, but the design is weak by today’s standards
RC2 & RC5 (by R. Rivest)
RC2 is older and RC5 newer (1994); similar to DES and IDEA
Blowfish, Twofish: good, but not a standard
15
Rijndael & AES: Recommended
Present standard
Winner of the AES (Advanced Encryption Standard) competition
NIST (US National Institute of Standards and Technology) 1997-2000
Comes from Europe (Belgium), by Joan Daemen and Vincent Rijmen
Recommended by NSA CNSSP-15 policy
Symmetric block cipher (128, 192 or 256 bit blocks) with variable keys (128, 192 or 256 bits, too)
AES is a specific way of using Rijndael
.NET Fx 3.0 RijndaelManaged is a full Rijndael
.NET Fx 3.5 AesManaged is a standards-compliant version of Rijndael
16
CAST and GOST: Not used widely anymore – avoid
CAST
By Canadians Carlisle Adams & Stafford Tavares
64 bit key and 64 bits of data – not enough
GOST
Soviet Union’s “version” of DES, but with a clearer design and many more repetitions of the process
256 bit key, but really 610 bits of secret, so pretty much “tank quality”
Backdoor? Who knows…
17
Rely on Cryptosystems
Never use just an algorithm
Always use an entire cryptosystem
E.g.
AES used in a simple “loop” to encrypt a stream of data destroys security
Use a block chaining mode
CNG supports CBC, CFB, and as of Vista SP1/WS08 also CCM and GCM
Easiest way: .NET Fx CryptoStream applies your chosen symmetric algorithm correctly
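To see why the simple “loop” (block-by-block, ECB-style) use of a block cipher destroys security while a chaining mode does not, here is an added example that is not part of the original deck. It uses a deliberately toy Feistel block cipher built from SHA-256 as a stand-in for AES; the key, IV and plaintext are constructed for the demonstration.

```python
import hashlib

BLOCK = 16   # 128-bit blocks, like AES/Rijndael
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: keyed SHA-256 truncated to a half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy Feistel block cipher standing in for AES. NOT secure; illustration only."""
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def encrypt_loop(key: bytes, data: bytes) -> bytes:
    """The dangerous 'simple loop' (ECB): every block is encrypted independently."""
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def encrypt_cbc(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC chaining: each block is XORed with the previous ciphertext block before encryption."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(prev, data[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block (a pattern leak)."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

# Constructed demo input: three identical records, then one that differs.
KEY = b"constructed-demo-key-not-secret!"  # 32 bytes, constructed
IV = bytes(range(BLOCK))                   # constructed; in practice use BCryptGenRandom
PLAINTEXT = b"ACCOUNT=0000001;" * 3 + b"ACCOUNT=0000002;"
```

With the loop, `repeated_blocks(encrypt_loop(KEY, PLAINTEXT))` is 2 (the three identical records produce three identical ciphertext blocks, so an observer can tell the records repeat), whereas `repeated_blocks(encrypt_cbc(KEY, IV, PLAINTEXT))` is 0.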
18
Dangerous Implementations
Cryptographic applications from not-well-known sources
I “just downloaded this library”
Insist on using built-in systems where possible:
Microsoft OS: CNG, CAPI, CAPICOM etc.
Smartcards: certified CSPs/KSPs
Elsewhere: FIPS 140-2 compliant implementations
See csrc.nist.gov/cryptval
19
RC4: Generally Not Recommended
Symmetric
Fast, streaming encryption
R. Rivest in 1994
Originally secret, but “published” on sci.crypt
Related to the “one-time pad”, theoretically the most secure
But!
It relies on a really good random number generator
And that is a problem
Nowadays: use AES with a chaining mode
23
XP/2003 Era of Crypto APIs: Still used and supported
Microsoft CryptoAPI (CAPI) 2.0 was the interface to all CSPs
Cryptographic Service Providers
Built-in or smartcard-based
.NET Framework 1.1, 2.0, and 3.0 wrap most of the functionality of CAPI in the namespace System.Security.Cryptography
Or you could use the CAPICOM library
24
Contemporary Cryptography
26
The Golden Standard
US NSA and NIST recommended “Suite-B” protocols
Microsoft supports Suite-B only in Windows 7, Windows Server 2008 and R2, and Vista
Internally, Windows does not use weaker algorithms than Suite-B
But, of course, you can if you wish – please don’t, except for backwards compatibility
27
Suite B
www.nsa.gov/ia/industry/crypto_suite_b.cfm
Mandatory set of cryptographic algorithms for non-classified and classified (SECRET and TOP SECRET) USG needs since 2008
Except for a small area of special-security needs (e.g. nuclear security), which is guided by Suite A (whose definition is, naturally, classified)
Widely used world-wide, as of 2009
28
Mathematical Designs
Many cryptographic algorithms (e.g. DSA) rely on a class of mathematical designs related to the concept of discrete logarithms
These can be implemented over any finite abelian group
Normally, this means using the integers modulo a prime number
Alternatively, elliptic curve groups can be used
29
Elliptic Curve Cryptography (ECC)
More efficient design, fewer bits of key
Harder to break
Significantly faster algorithms
Used to enhance existing algorithms, such as DH or DSA
30
Suite-B Algorithms
Encryption: AES
Digital Signature: EC-DSA
Key Exchange: EC-DH or EC-MQV
Hashing: SHA-2
31
Suite-B Encryption
AES
FIPS 197 (with key sizes of 128 and 256 bits)
Rijndael with 128 bit data blocks only
Keys of 192 bits not used
Most 256 bit implementations are much slower than 128
Anything of 84 bits or more in this class is considered “good enough” commercially (Nov 2009)
32
Suite-B Digital Signatures
Elliptic Curve Digital Signature Algorithm (EC-DSA)
FIPS 186-2 (using the curves with 256 and 384-bit prime moduli)
Microsoft also supports 521-bit keys
Classical DSA applied over the algebra of finite fields of elliptic curves
33
Suite-B Key Exchange: The Best Bit of Suite-B
Elliptic Curve Diffie-Hellman (or Elliptic Curve MQV)
Curves with 256 and 384-bit prime moduli
Microsoft also supports 521 bits
Susceptible to man-in-the-middle attack
So it requires authentication
Using digital signatures, certificates, or pre-shared secrets
34
Diffie-Hellman Conceptually (this is non-EC, normal DH)
1. Alice and Bob openly agree on a (large) prime number p and a base integer g: p = 83, g = 8
2. Alice chooses a private secret integer a = 9, and then sends Bob the public value (g^a) mod p: (8^9) mod 83 = 5
3. Bob chooses a private secret integer b = 21, and then sends Alice the public value (g^b) mod p: (8^21) mod 83 = 18
4. Alice computes (((g^b) mod p)^a) mod p: (18^9) mod 83 = 24
5. Bob computes (((g^a) mod p)^b) mod p: (5^21) mod 83 = 24
24 is the shared secret – never sent over the network!
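The exchange above carried through in code, as an added example that is not part of the original deck. It runs the five steps with the deck’s toy numbers (p = 83, g = 8, a = 9, b = 21) and then turns the shared secret into key bytes with a SHA-256 hash, the counterpart of the Hash key-derivation function the .NET ECDiffieHellmanCng code later in the deck uses; the byte encoding of the secret and the `exchange` helper are this example’s assumptions.

```python
import hashlib

def dh_public(p: int, g: int, private: int) -> int:
    """Public value (g^private) mod p; safe to send over the network."""
    return pow(g, private, p)

def dh_shared(p: int, peer_public: int, private: int) -> int:
    """Shared secret (peer_public^private) mod p; never leaves the host."""
    return pow(peer_public, private, p)

def derive_key(shared: int, p: int, out_len: int = 32) -> bytes:
    # Hash-based KDF (assumption of this example): SHA-256 over the big-endian
    # encoding of the shared secret, padded to the byte length of p.
    secret_bytes = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret_bytes).digest()[:out_len]

def exchange(p: int, g: int, a: int, b: int) -> dict:
    """Run the whole exchange for Alice (a) and Bob (b) and return what each side sees.

    Nothing here authenticates either party; that is exactly why the Suite-B
    slides require signatures, certificates or a pre-shared secret on top of DH.
    """
    alice_sends = dh_public(p, g, a)           # step 2: goes over the network
    bob_sends = dh_public(p, g, b)             # step 3: goes over the network
    alice_secret = dh_shared(p, bob_sends, a)  # step 4: computed locally by Alice
    bob_secret = dh_shared(p, alice_sends, b)  # step 5: computed locally by Bob
    assert alice_secret == bob_secret          # both sides agree without sending it
    return {
        "alice_public": alice_sends,
        "bob_public": bob_sends,
        "shared": alice_secret,
        "key": derive_key(alice_secret, p),
    }

# The deck's toy parameters. Real (non-EC) DH needs a prime of 2048 bits or more.
P, G, A, B = 83, 8, 9, 21

if __name__ == "__main__":
    result = exchange(P, G, A, B)
    print(result["alice_public"], result["bob_public"], result["shared"])  # 5 18 24
```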
36
Suite-B Hashing
Secure Hash Algorithm “2”
FIPS 180-2 (using SHA-256 and SHA-384)
MD5 and SHA-0 have been broken, and SHA-1 has been theoretically and allegedly practically broken
SHA-2 should suffice for a few years, but ultimately it must be replaced
SHA-2 allows: 224, 256, 384, and 512 bit lengths
37
APIs for Suite-B Today?
That’s what we have been waiting for
38
Cryptography APIs for Suite-B
39
Cryptographic Next Generation API (CNG)
CAPI 1.0 has been deprecated
May be dropped in future Windows
CNG
Open cryptographic API for Windows 7, Server 2008 and R2, and Vista
Plug in kernel or user mode algorithms
Enables policy-based enterprise crypto configuration
40
Main CNG Features
1. Cryptography agnostic
2. Kernel-mode for performance and security (better performance than CAPI 1.0)
3. Aim for FIPS-140 certification
140-2 and Common Criteria (CC) on selected platforms
140-1 everywhere
Aim for CC compliance for long-term key storage and audit
4. Suite-B of course, but also supports all existing algorithms available through CryptoAPI 1.0
5. Key isolation and storage using TPMs
6. Developer-friendly model for plug-ins
42
Other APIs
In addition to CNG:
.NET Framework System.Security.Cryptography
3.0 does not manage CNG
3.5 and 4.0 manage CNG
TBS: TPM Base Services
For interaction with Trusted Platform Modules
Certificate Enrolment API
43
CNG: Cryptographic Primitives Architecture
45
So, Who Encrypts? The Reason for the Two APIs
Use the “B-API” if you want the OS to do all the encryption
Microsoft implementation, or one you have added
Realistically: use for symmetric encryption
Use the “N-API” if you have a smartcard, HSM (hardware security module), a TPM, or a suitable CSP
All computations are performed by the device
Realistically: use for key exchange only
Generally, the OS has little or nothing to do
47
Using CNG – Encryption Steps
Follow this process:
1. Open a CNG Algorithm Provider
BCryptOpenAlgorithmProvider
2. Generate or import keys
3. Calculate the size of the encrypted data
Call BCryptEncrypt with NULL for the pbInput parameter
4. Encrypt data by calling BCryptEncrypt again
Repeat this step as needed using chaining (not a loop)
5. Output the result
6. Close the provider, unless caching, and clean up
BCryptCloseAlgorithmProvider
48
Randomness
Use BCryptGenRandom
The default generator is at least FIPS 186-2 compliant
Uses entropy gathered over time
You can add your own entropy
You can also specify a different generator for all calls
Needless to say, do not use Rnd() etc. from your favourite language
50
CNG and .NET Fx 3.5 and 4.0
New algorithms:
AesCryptoServiceProvider, ECDiffieHellmanCng, ECDSACng, SHA1Cng, SHA256Cng, SHA384Cng, SHA512Cng
Avoid “old” (.NET 3.0 and earlier) providers
No FIPS certification
Harder to use
CngKey wraps “NCrypt” and some functionality of “BCrypt”
Use CngUIPolicy to enforce user actions on private keys
51
Using .NET Fx 3.5 and CNG
1. Sender and recipient use CngKey to access or generate their private/public key-pairs
CngKey will use your security device if present
2. Parties exchange their public keys (serialising and/or wrapping them)
3. Sender and recipient use ECDiffieHellmanCng to generate a shared secret key by deriving it from their own and the other party’s keys
4. Use AesCryptoServiceProvider and the CryptoStream to encrypt data
52
Use of ECDiffieHellmanCng
using System.Security.Cryptography;

// First, point CngKey to your security device or a CSP
ECDiffieHellmanCng sender = new ECDiffieHellmanCng();
sender.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
sender.HashAlgorithm = CngAlgorithm.Sha256;

ECDiffieHellmanCng recipient = new ECDiffieHellmanCng();
recipient.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
recipient.HashAlgorithm = CngAlgorithm.Sha256;

// Exchange the x.PublicKey values by serialising and sending them
// (each party only ever needs the other party's public key, never its private key)
byte[] recipientKey = recipient.DeriveKeyMaterial(sender.PublicKey);
byte[] senderKey = sender.DeriveKeyMaterial(recipient.PublicKey);
// recipientKey and senderKey are now identical: 32 bytes of SHA-256 output, usable as an AES-256 key
53
Conceptual Use of AES with CNG
using System.IO;
using System.Security.Cryptography;

// Remember the IV (in plaintext) – it can be random, but it must be stored or sent with the ciphertext
AesCryptoServiceProvider myAES = new AesCryptoServiceProvider();
myAES.Key = senderKey;   // the key material derived by ECDiffieHellmanCng on the previous slide
myAES.GenerateIV();      // fresh random IV; myAES.IV is not secret, but must be kept for decryption
FileStream fsEncrypted = new FileStream(sOutputFilename, FileMode.Create, FileAccess.Write);
ICryptoTransform aesencrypt = myAES.CreateEncryptor();
CryptoStream myCryptoStream = new CryptoStream(fsEncrypted, aesencrypt, CryptoStreamMode.Write);
// Now just write to myCryptoStream like a normal file stream – the output will be encrypted
// (call myCryptoStream.FlushFinalBlock() or Close() at the end so the last block is written)
54
CNG in Action: demo
55
References
Get a bigger CNG sample from:
http://msdn.microsoft.com/en-us/library/cc488018.aspx
My demo (and this PPT) at: http://projectbotticelli.com/downloads/public/
Read sci.crypt (incl. archives), subscribe to Cryptogram
For more detail, read:
Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07-709987-7
Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-471-22357-3
Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1-58053-642-5, see http://www.esecurity.ch/Books/cryptography.html
Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9
Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0-8493-8523-7, www.cacr.math.uwaterloo.ca/hac (free PDF)
PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3
Foundations of Cryptography, O. Goldreich, www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html
Cryptography in C and C++, M. Welschenbach, Apress, ISBN 1-893115-95-X (includes a CD of code samples)
56
Summary
Today’s cryptography has just accelerated its evolution
Windows Vista and Windows Server 2008 are at the front of innovation in this field
Unleash the awesome power of Suite-B with CNG by using .NET Framework 3.5!
57
Resources
www.microsoft.com/teched: Sessions On-Demand & Community
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
www.microsoft.com/learning: Microsoft Certification & Training Resources